This advanced three-day course provides the knowledge and skills necessary to analyze the new Microsoft Windows 8 operating system artifacts, user data and file system mechanics in Storage Spaces using the Forensic Toolkit (FTK), FTK Imager and Registry Viewer. During this three-day workshop, participants will review Windows 8 features, learn the artifact locations for Internet Explorer and Immersive Application cache data, and describe the new File History service and its artifact processing. Students will also review Windows 8 artifacts such as Virtual Hard Disks, Storage Pools and updated NTFS structures, finishing with an overview of core registry files and new values of forensic interest pertaining to user activity on a Windows 8 system.
Prerequisites:
To obtain the maximum benefit from this course, you should meet the following requirements:
Able to understand course curriculum presented in English
Attendance at the AccessData Forensic BootCamp or equivalent experience with FTK, FTK Imager, and Registry Viewer
Familiarity with Windows NT file system (NTFS) mechanics
Familiarity with the Microsoft Windows environment and Windows forensic analysis
Basic knowledge of computer forensic investigations and acquisition procedures
Knowledge of Microsoft Windows environment
Class Materials and Software:
You will receive the associated materials prior to the course.
During this three-day course, participants will review the following:
Windows 8 File Structure Changes
o Folder Structures
o PageFile and SwapFile functions
o ToGo feature
o BitLocker updates
o Cloud integration overview
o Thumbnail caching
o PC Refresh options
GUID partition table schema
Immersive applications and their associated artifacts
Internet Explorer 10 and 11 forensic analysis
File History and System Restore Points
Storage Options
o Storage Spaces
o VHDx format
Windows 8 Registry structure and artifacts
Some topics and items in this class syllabus are subject to change. This document is for information purposes only. Syntricate makes no warranties,
express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, Distributed Network Attack, DNA, Forensic Toolkit, FTK,
LAB, Password Recovery Toolkit, PRTK, Registry Viewer, and Ultimate Toolkit are registered trademarks of the AccessData, Inc. in the United States
and/or other countries. Other trademarks referenced are property of their respective owners.
Windows 8 Forensics
Advanced Three-Day Instructor-Led Course
For more information contact: info@syntricate.com
Module 1: Introduction
Topics:
Introductions
Class materials and software
Prerequisites
Class outline
Helpful Information
Lab:
Check system information
Select Windows Explorer display preferences
Prepare your system
Discuss the correlation between a Storage Pool and NTFS
Discuss best practices in processing a Storage Space
Examine Windows Event Logs for elements of storage mounting events
Lab:
Recover IEv10 artifacts from the directory structure
Recover artifacts from Exchange Database (EDB) files
Module 6: Windows 8 File History and System Restore Points
Objectives:
Describe how a Windows 8 user initiates File History
Discuss the location choices a user is presented with when determining backup storage
Identify artifacts located in the user's profile
Describe the processing of File History administrative data
Identify version dates of backed-up files
Review Windows Event Logs for File History actions
Recognize Registry data pertaining to system and user preferences for the File History function
Lab:
Locate file history artifacts in the user's profile
Review the USB device file history
Locate artifacts on the file history backup volume
Locate file history artifacts in the event log
Locate file history artifacts in the Windows registry
Lab:
Use the OS to create a Storage Pool
Process a Virtual Hard Disk (VHD) in FTK
Locate VHD artifacts in the Windows registry
Locate jump list artifacts
Locate VHD artifacts in the event log
Identify a Storage Pool
Module 8: Windows 8 Registry Introduction
Objectives:
Define the Windows registry structure and function
List the forensic benefits of the registry
Identify the hives that make up the registry and list the types of information associated with each hive
Discuss navigating the registry using traditional tools and Registry Viewer
Define different methods for obtaining both live registry files and registry files from an image
Categorize the three different methods of searching for data in Registry Viewer
Lab:
Use FTK Imager to gather registry files from the local machine
Create reports in Registry Viewer
Create a Summary report
Create a Summary report using wildcards
Module 9: Windows 8 Registry Artifacts
Objectives:
Define new forensic values found in the core system and user-related registry files:
o SAM
o SYSTEM
o SOFTWARE
o NTUSER.DAT
o UsrClasses.DAT
o Settings.DAT
Lab:
Locate artifacts in the following registry files:
o SAM
o SYSTEM
o SOFTWARE
o BBI
o NTUSER.DAT
o UsrClasses.DAT
o Settings.DAT
o Amcache
Module 10: Windows 8 PC Refresh
Objectives:
Reset or refresh your computer
Understand the issues surrounding PC Refresh
Lab:
Examine Reset artifacts
Module 11: Final Exercise
Objectives:
This module allows participants to apply information from the course to recover Windows 8 artifacts from a sample image file.